Pages

Thursday, October 24, 2019

Privacy Bill Could Put Dishonest Tech Execs Behind Bars


Technology Fails: I’m just here for the LOLZ.

Tax Commissioner attacks 'out of control' press over whistleblower reporting


Chris Jordan has accused the media of "deliberately sensationalist" reporting over allegations the ATO was ripping money out of individual accounts.



Huang Xiangmo brands Tax Office a 'despicable tool of political persecution'

Exiled Chinese billionaire Huang Xiangmo, a central figure in ICAC's inquiry into Labor donations, launched the extraordinary attack as he fights a $140 million tax bill.

Federal government refuses to release details of taxpayer-owned buildings which might be a fire hazard

The material was a major factor in the deadly Grenfell Tower fire in London which claimed 72 lives, and a blaze at Melbourne's Lacrosse Tower in 2014.



The Panama Papers inspired film, The Laundromat, hit Netflix over the weekend, garnering mixed responses. While some are less than impressed with Steven Soderbergh’s style, others are praising Meryl Streep’s acting. Either way, it appears the attempt by the Mossack Fonseca co-founders to stop the film going live has done nothing other than promote it to an even broader audience.

INDIA’S DEVICES

Medical devices in India are set to be regulated and registered in the same way that drugs come December. New laws will also force manufacturers and importers to report adverse events to regulators. The crackdown comes nearly a year after our local partners, the Indian Express, revealed - as part of our Implant Files collaboration - that just 23 devices (out of about 5,000) were registered.

ROBOT POWER

“What this does is help you find more documents that you wouldn’t have been able to find with a plain text search,” John Keefe, an editor at Quartz,   explained last week during our inaugural ICIJ Labs webinar. Expounding on artificial intelligence, Keefe told the attendant journalists that machine learning is the use of complex code to create programs that can detect patterns and sort information faster than any team of humans can. (Fewf!)

‘FIGHT FOR JUSTICE’

Last week marked two years since the assassination of Maltese investigative reporter Daphne Caruana Galizia. She was working on stories related to the Panama Papers in the lead up to her death. Vigils were held in several cities across Europe to honor her memory. “The fight for justice must continue, for her family’s sake, for Malta’s sake and for the sake of press freedom around the world,” said ICIJ director Gerard Ryle.

Alexa and Google Home abused to eavesdrop and phish passwords

technica – Amazon- and Google-approved apps turned both voice-controlled devices into “smart spies”. – “By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials. Now, there’s a new concern: malicious apps developed by third parties and hosted by Amazon or Google. The threat isn’t just theoretical. Whitehat hackers at Germany’s Security Research Labs developed eight apps—four Alexa “skills” and four Google Home “actions”—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these “smart spies,” as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords…”


Jennie Granger: Revamping the tax office shouldn’t be taxing

Nextgov October 18, 2019
A congressional privacy hawk wants to put the power of people’s personal data back into their own hands—and punish corporations that aren’t transparent about information collection with high fines and prison time. The Mind Your Own Business Act, introduced Thursday by Sen. Ron Wyden, D-Ore., grants the Federal Trade Commission resources and six new authorities to establish stricter protections that safeguard Americans’ data and impose tougher penalties against companies that lie about their data collection and use. “[The bill] is based on three basic ideas,” Wyden said in a statement. “Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.” If passed, the legislation would enable the agency to add 175 new members to its staff. The FTC would also be tasked with creating minimum privacy and cybersecurity standards to products and services that process consumer data and would allow.

The Hill
October 18, 2019
Sen. Maggie Hassan (D-N.H.) this week urged the Government Accountability Office (GAO) to look into how the federal government is supporting state and local governments that have been hit by debilitating cyberattacks over the past few months. In a letter sent to GAO on Thursday, Hassan noted that “ransomware is a serious and growing threat to government operations at the federal, state, and local level,” and asked that GAO review and issue a report on current federal efforts to assist state and local government entities to protect their systems against ransomware attacks. These attacks, which have been increasingly widespread across the country this year, involve a malicious actor or group gaining access to a network, encrypting it, and then asking the user to pay a ransom in order to gain back access. Hassan asked that the GAO give evaluating ransomware assistance its “prompt attention,” and noted that is an area of “great concern” to the Senate Homeland Security and Governmental Affairs Committee, on which Hassan serves.

FCW
October 16, 2019
Officials at the Cybersecurity and Infrastructure Security Agency have told lawmakers that there have been at least a half dozen instances over the past year where they have been unable to adequately respond to known cyber risks because they could not identify the owners of vulnerable IP addresses. The agency is pressing Congress for new administrative subpoena powers to compel internet service providers to turn over subscriber information for IP addresses associated with critical infrastructure. In a legislative proposal to Congress seen by FCW, the agency claimed the lack of such authority has left vulnerabilities unmitigated and potential victims "exposed." "In the past year alone, there have been at least six occasions in which CISA has been delayed, restricted, or altogether foreclosed in responding to known and actionable cyber risks because it lacked a way to identify the targets," the agency told Congress. The proposal, submitted to the House and Senate Homeland Security Committees in June, did not provide details about the occasions, potential victims or whether the incidents involved critical infrastructure.

FCW
October 16, 2019
Representatives of commercial telecommunications and IT gear told the House Homeland Security Committee that additional liability protections are needed to share information about companies and products they fear might harbor cybersecurity threats. Although the 2015 Cybersecurity Information Sharing Act provided liability cover for companies to share specific indicator data from cyberattacks, it didn't provide such cover for actual products, Robert Mayer, senior vice president, cybersecurity, at USTelecom, told an Oct. 16 House Homeland Security Committee panel on supply chain security. "What we don't have is a situation where an organization has a piece of equipment where they discover software or malware or a pattern of activities makes them suspicious" can be shared comfortably among companies, he told committee Chairman Rep. Bennie Thompson, (D-Miss.). That kind of explicit information on such a threat from a product, "would be very beneficial to share" within the commercial ecosystem, said Mayer.

Nextgov
October 15, 2019
The House Homeland Security Committee returned to the scene of one of Russia’s direct attacks on U.S. elections in 2016 on Tuesday to discuss how the state of Illinois—and the nation at large—have improved election security since the last presidential election. In 2016, Russians hacked an Illinois Board of Elections voter registration database, compromising the information of some 76,000 voters and instilling confusion, despite investigations that showed no votes were changed or altered by the bad actors. At the field hearing, state officials said Illinois partnered with federal partners, including the Department of Homeland Security, and invested more than $13 million in security upgrades and digital vulnerability assessments for its 108 voting jurisdictions. However, like most states, Illinois has more challenges than it can fully address, given budgetary restrictions and short timelines. Steve Sandvoss, executive director of the Illinois Board of Elections, said approximately two-thirds of its 108 voting jurisdictions do not have the resources to employ an IT division and likely only have a single vendor-contracted employee responsible for things like patching electronic voting machines.


ADMINISTRATION

Nextgov
October 18, 2019
The Defense Department is less than three months away from finalizing its framework for measuring vendors’ cybersecurity practices, and industry has a lot to say about the program. Over the past six weeks, the Pentagon received more than 2,000 comments on the first public draft of the Cybersecurity Maturity Model Certification, or CMMC, according to Ellen Lord, the department’s undersecretary for acquisition and sustainment. The framework would serve as a yardstick for measuring the strength of different contractors’ digital defenses, allowing Pentagon officials to ensure vendors are appropriately protecting the sensitive military data that resides on their networks. The department will use the feedback to inform the next iteration of the CMMC, which officials plan to publish in the first week of November, Lord said during a press conference on Friday. After another round of public comments, the Pentagon will release the final framework sometime in January, and contracting officers will start assimilating certifications into the acquisition process by summer 2020, she said.

The Hill
October 18, 2019
Pennsylvania will launch a pilot of an election security audit in Philadelphia and Mercer County after the November elections, the Pennsylvania Department of State announced this week.  The risk-limiting audit is designed to check the accuracy of election outcomes. It will use security measures new to the state and much of the country, according to the Pennsylvania Department of State. "This pilot project will allow us to explore audit procedures that will further strengthen Pennsylvania's election security profile and provide confidence to the voters that their votes are being counted accurately," acting Pennsylvania Secretary of State Kathy Boockvar (D) said in the announcement. The state department will work with local officials to conduct the audit using new paper-based voting systems in Mercer County and Philadelphia.

AP
October 17, 2019
The city of Baltimore is set to purchase $20 million in cyber insurance coverage, five months after an attack hobbled its computer network. The city’s Board of Estimates on Wednesday approved the purchase of two $10 million policies. The premiums will total $835,000. The move comes after hackers in May demanded about $76,000 in ransom after freezing key computer systems. Online payments, billing systems and email were down, and property transactions came to a stop, exasperating home sellers and real estate professionals. The city refused to pay the ransom, but recovery has been estimated at about $18 million. City officials said 17 insurers entered the bidding process. Chubb Insurance and AXA XL Insurance were selected.

The Tampa Bay Times
October 17, 2019
How vulnerable are Florida government agencies to a cyberattack? It’s a question state leaders hope to be able to answer by this time next year. The state’s newly-appointed Florida Cybersecurity Task Force convenes next week to begin a year-long analysis of the state’s cybersecurity health. Its goal is to identify areas for improvement and prioritize digital threats against the state. “These threats continue to increase in complexity,” said Eman El-Sheikh, director of the University of West Florida Center for Cybersecurity. “We need to be prepared with a long-term solution that not only keeps our information and citizens secure, as well as our critical infrastructure, but maintains that in years to come.” Chaired by Lt. Gov. Jeañette Nunez, the committee consists of 13 members from both the public and private sectors who have backgrounds in security. El-Sheikh is one of seven private sector members appointed by Gov. Ron DeSantis at the end of September. She joins security experts from sectors including health care, energy, entertainment and retail.

Fifth Domain
October 16, 2019
U.S. Cyber Command is working with the energy sector and the Department of Energy as a way to bolster their relationship in case of a malicious, or catastrophic, cyberattack. Cyber Command follows a philosophy of persistent engagement — the notion that it has to be in constant contact with adversaries in friendly, neutral and enemy cyberspace — and officials have stressed this includes enabling other partners. It also includes using its unique authorities to operate outside U.S. networks as a way to provide warning for domestic agencies about potential threats. Now, the Department of Defense and Cyber Command are working on a pathfinder effort with DOE. As part of the initiative, the Pentagon has tasked staffers with better understanding how the energy sector operates. The exercise, called Grid X, examined a catastrophic power failure, Maj. Gen. Stephen Hager, deputy commander of the Cyber National Mission Force, said during an Oct. 15 panel at the annual Association of U.S. Army conference.

Reuters
October 16, 2019
The United States carried out a secret cyber operation against Iran in the wake of the Sept. 14 attacks on Saudi Arabia’s oil facilities, which Washington and Riyadh blame on Tehran, two U.S. officials have told Reuters. The officials, who spoke on condition of anonymity, said the operation took place in late September and took aim at Tehran’s ability to spread “propaganda.” One of the officials said the strike affected physical hardware, but did not provide further details. The attack highlights how President Donald Trump’s administration has been trying to counter what it sees as Iranian aggression without spiraling into a broader conflict. Asked about Reuters reporting on Wednesday, Iran’s Minister of Communications and Information Technology Mohammad Javad Azari-Jahromi said: “They must have dreamt it,” Fars news agency reported. The U.S. strike appears more limited than other such operations against Iran this year after the downing of an American drone in June and an alleged attack by Iran’s Revolutionary Guards on oil tankers in the Gulf in May.

Fifth Domain
October 14, 2019
An eighth iteration of the Pentagon’s bug bounty program discovered a critical vulnerability in Department of Defense systems. HackerOne, the ethical hacking company partnered with the DoD for penetration testing, announced Oct. 14 it completed the Pentagon’s “Hack the Proxy” program, which allowed white hat hackers to probe the department’s Virtual Private Networks, virtual desktops and proxies. The hackers found 31 vulnerabilities. Nine were considered “high severity" and 21 were “medium/low severity." The release did not offer any additional details on the critical vulnerability found. Last year, an Army secure file sharing site was taken offline because a critical vulnerability was found through a similar disclosure program. The goal was to find “find places where the many external DoDIN [Department of Defense Information Network] touchpoints might be used by adversaries to surveil information that is internal to the network.”

C4ISRNet
October 14, 2019
In what senior officials described as one of the most historic and significant days for the Air Force, the service officially created its first information warfare entity, known as 16th Air Force, Air Forces Cyber, during an Oct. 11 ceremony at Lackland Air Force Base, in San Antonio, Texas. The event included several former commanders of 24th and 25th Air Force, Rep. Will Hurd, R-Texas, Deputy Assistant Secretary of Defense for Cyber Burke “Ed” Wilson, himself a former 24th commander, Lt. Gen. VeraLinn “Dash” Jamieson, deputy chief of staff for ISR and cyber effects operations and Lt. Gen. (s) Mary O’Brien who most recently was the commander of 25th Air Force and will replace Jamieson when she retires in November. The Air Force deactivated 24th Air Force and 25th Air Force combining their functions into the new numbered Air Force, a move that has been in the works for several years. The change is aimed at modernizing the Air Force for a new age of warfare, one officials described has shifting from one of attrition to cognition.


INDUSTRY

Gov Info Security
October 18, 2019
The Sodinokibi ransomware-as-a-service operation appears to be making a killing, with proceeds flowing both to the gang behind the malware as well as dozens of affiliates. Also known as REvil and Sodin, Sodinokibi has lately seized the RaaS mantle from GandCrab, after the administrators of that criminal scheme announced their retirement on May 31, boasting that their affiliates had earned more than $2 billion. Security firm McAfee has been tracing where Sodinokibi payments go, aided in part by each infection generating its own, unique bitcoin wallet if victims pay, with the average ransom demand working out to about 0.45 bitcoin, worth $4,000. Based on following the money, McAfee researchers have found that the RaaS operation appears lucrative in the extreme.

CyberScoop
October 18, 2019
Microsoft on Friday said it was establishing a bug bounty program for its open-source election software, the latest move by the tech giant to try to bolster election security. Microsoft is inviting researchers from anywhere and any background — whether elite industry professionals, tinkerers, or students — to find “high-impact vulnerabilities in targeted areas” of its ElectionGuard Software Development Kit, said Jarek Stanley, a senior program manager at the Microsoft Security Response Center. Researchers can make up to $15,000 per bug they find and share through Microsoft’s coordinated vulnerability disclosure (CVD) program. They are being asked to hunt for bugs that could affect the integrity of data in the ElectionGuard software, including for example, the kit’s implementation of cryptography. Big tech companies from Microsoft to Apple to Google all have bug bounty programs, but they are much rarer in the election security space. Voting equipment vendors, for example, are setting up a CVD program but have yet to pursue bug bounty policies.

Ars Technica
October 17, 2019
Google is temporarily increasing the rewards it pays for hacks that exploit holes in a beefed-up security protection that debuted in desktop versions of Chrome last month. Chrome for Android, meanwhile, is receiving a slimmed-down version of the same protection. For a limited time, Google will boost its normal bounty amounts for exploits that allow one site the browser is interacting with to steal passwords or other sensitive data from another accessed site. Google is also broadening its vulnerability reward program to include bugs in Blink—the core software that Chrome uses to render HTML and other resources—that allow similar types of cross-site data thefts. The changes come a month after the release of Chrome 77, which quietly strengthened an existing protection known as site isolation. Google developers first added site isolation in July 2018 in a highly ambitious engineering feat that required major architectural changes to the way the browser worked under the hood.

Gov Info Security
October 17, 2019
Eighteen technology companies have formed the Open Cybersecurity Alliance to foster the development of open source tools to improve interoperability and data sharing between cybersecurity applications. But some observers say getting all the players to agree on a common platform will be challenging. The initial open source content and code will come from IBM and McAfee, which has been spearheading the project. The new alliance was formed under the auspices of OASIS, a consortium driving the development, convergence and adoption of open standards. It was launched as an OASIS Open Project on Oct. 8. In addition to IBM and McAfee, initial members of the alliance include: Advanced Cyber Security Corp., Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient and Tufin. The group says it will continue to welcome new members.

CNet
October 15, 2019
Facebook is putting its money where its mouth is on security and privacy, announcing Tuesday that it'll be expanding several of its bug bounty programs, including bonus payouts for rare vulnerabilities. In a series of blog posts, the social network said it would be giving security researchers more ways to find and disclose flaws in third-party apps and websites that integrate with Facebook. Researchers will no longer be limited to "passively observing the vulnerability," Facebook's engineering security manager, Dan Gurfinkel, said in a statement. The bug bounty hunters will now be able to actively test these third-party apps for security issues, as long as the third party authorizes the researchers, Facebook said. Think of it as the difference between finding a bug through observing traffic from a third-party app versus security researchers looking for ways a third-party app could abuse your data. "This change significantly increases the scope of the security research that our bug bounty community can share with us and get rewarded for when they find potential vulnerabilities in these external apps and websites," Gurfinkel said.

Gov Info Security
October 15, 2019
Mailing equipment manufacturer Pitney Bowes says it has been hit by file-encrypting malware, disrupting customers' ability to use many services. But the firm says that no client data appears to have been compromised. The company, based in Stamford, Connecticut, offers a number of mailing and postage services, including manufacturing widely used postal meters and shipping software. "At this time, the company has seen no evidence that customer or employee data has been improperly accessed," Pitney Bowes says in a statement posted on its website. But it says that as a result of the ransomware attack, many of its online offerings remain inaccessible, including customers' ability to access its postage supply web store as well as to automatically upload envelope-printing transactions from machines, which they typically do at least once every day and once daily after hours. "If you have funds on your meter you will be able to process mail," the company advises postage meter users. "Until the system is restored you will not be able to refill your system."

Reuters
October 14, 2019
U.S. private equity firm Thoma Bravo is adding Sophos Group to its cybersecurity stable, announcing on Monday a buyout deal that values the British maker of antivirus and encryption products at about $3.8 billion. The takeover price of 583 pence per share represented a 37% premium from Sophos's closing price on Friday and Sophos shares surged nearly 38% on news of the deal. Sophos, whose customers include Under Armour Inc, Ford Motor Co and Toshiba Corp, listed in 2015 at 225 pence per share and has seen its market value double since then, despite a tough 2018. Thoma Bravo's move for Sophos trails several other buyout deals by U.S. funds drawn toward the UK as the pound weakened ahead of Brexit. Shares of rival Avast also rose after the Sophos deal was announced. Sophos CEO Kris Hagerman told Reuters that his company had first been approached by Thoma Bravo in June. "The (Sophos) board ultimately concluded that this offer and the acquisition can accelerate Sophos' progress in next-generation cybersecurity," Hagerman said.


INTERNATIONAL

Infosecurity Magazine
October 18, 2019
The UK government has revealed it is working with chip-maker Arm on a £36m initiative to make more secure processors. Although details are few and far between at this stage, the government claimed that the project could help to protect more UK businesses from remote cyber-attacks and breaches, while boosting new business opportunities and productivity. According to the government’s own data, around 60% of mid-sized and 61% of large businesses in the UK have suffered a cyber-attack or breach over the past year. The Arm tie-up is part of the government’s Digital Security by Design initiative, also backed by Microsoft and Google. "Achieving truly robust security for a world of a trillion connected devices requires a radical shift in how technology companies approach cyber-threats. Research into new ways of building inherently more cyber-resilient chip platforms is critical,” explained Arm chief architect, Richard Grisenthwaite. Alongside this push, the government announced a further £18m through its Strategic Priorities Fund, designed to help tackle online fraud, privacy abuses and misinformation online.

Wired
October 17, 2019
Just before 8 pm on February 9, 2018, high in the northeastern mountains of South Korea, Sang-jin Oh was sitting on a plastic chair a few dozen rows up from the floor of Pyeongchang's vast, pentagonal Olympic Stadium. He wore a gray and red official Olympics jacket that kept him warm despite the near-freezing weather, and his seat, behind the press section, had a clear view of the raised, circular stage a few hundred feet in front of him. The 2018 Winter Olympics opening ceremony was about to start. For more than three years, the 47-year-old civil servant had been director of technology for the Pyeongchang Olympics organizing committee. He'd overseen the setup of an IT infrastructure for the games comprising more than 10,000 PCs, more than 20,000 mobile devices, 6,300 Wi-Fi routers, and 300 servers in two Seoul data centers. That immense collection of machines seemed to be functioning perfectly—almost. Half an hour earlier, he'd gotten word about a nagging technical issue. The source of that problem was a contractor, an IT firm from which the Olympics were renting another hundred servers. The contractor's glitches had been a long-term headache. Oh's response had been annoyance: Even now, with the entire world watching, the company was still working out its bugs? Ten seconds before 8 pm, numbers began to form, one by one, in projected light around the stage, as a choir of children's voices counted down in Korean to the start of the event. In the middle of the countdown, Oh's Samsung Galaxy Note8 phone abruptly lit up. He looked down to see a message from a subordinate on KakaoTalk, a popular Korean messaging app. The message shared perhaps the worst possible news Oh could have received at that exact moment: Something was shutting down every domain controller in the Seoul data centers, the servers that formed the backbone of the Olympics' IT infrastructure.

CyberScoop
October 17, 2019
One of the Kremlin-linked hacking groups that breached the Democratic National Committee in 2016 has remained active in the years that followed, even if it’s been less visible. Cozy Bear, also known as APT29 and the Dukes, began using different malicious software and new hacking techniques after 2016, according to findings published Thursday by the Slovakian security firm ESET. There wasn’t much public evidence of the group’s activity, but researchers say it did not go quiet after interfering in the U.S. presidential election. The hackers targeted U.S. think tanks in 2017, defense contractors in 2018 and three European countries’ ministries of foreign affairs. (The U.S. security firm FireEye suggested in November that Cozy Bear was showing signs of activity.) “Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying,” ESET said in its report. “The Dukes were able to fly under the radar for many years while compromising high-value targets, as before.”

Axios
October 17, 2019
China is applying tougher cybersecurity standards more widely as of Dec. 1, requiring companies to open their networks and deploy government-approved equipment. The changes worry international organizations and underscore the difference between U.S. and Chinese approaches to cybersecurity. China already has a law, applying to the most secure networks, that allows the government to audit private business networks and mandates the use of government-approved security equipment. That law will now apply to all networks. "It’s going to be incredibly invasive," said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. China's cybersecurity law has been on a slow rollout since 2017. Clarifications of standards serving as de facto regulations were introduced in May this year.

Haaretz
October 16, 2019
Should graduates of Israel Defense Forces technology units be able to use the knowledge and skills they gained during their service to work for an Arab cyber firm with close ties to a dictatorial regime that does not have diplomatic relations with Israel? Strange as the question may sound, there is growing evidence that such a thing is occurring. Even though it is not widespread, some say the defense establishment is growing increasingly worried. DarkMatter, a cybersecurity company formed in 2015 in Abu Dhabi, part of the United Arab Emirates, officially limits itself to cyber defense. But according to a Reuters expose published earlier this year, DarkMatter provides hacking services to the UAE intelligence agency against Western targets, journalists and human rights activists. The company operates an office in Cyprus, which among other things employs Israeli software developers. “That is de facto smuggling of Israeli intellectual property without any supervision of the [Israel Defense Ministry’s] Defense Export Controls Agency,” said one source in the Israeli cyber intelligence sector, who asked to be identified only as Y. “They’re taking these young people to Cyprus, buying them off with huge salaries.” Cyberattack researchers’ job is to find vulnerabilities in software and networks in order to break into them. Those with the skills, often acquired while serving in elite units, command some of the highest salaries in Israeli high-tech. Y. claimed DarkMatter pays even more. “I know of researchers who were tempted with salaries of close to $1 million a year,” he said. DarkMatter did not provide a comment by press time.

ZDNet
October 16, 2019
Australian bosses have far more confidence in the cybersecurity of their organisations than their own cyberdefenders, according to newly-released research from Unisys. "What the study found is pretty much a disconnect and lack of communication between the two very important roles of chief information security officer (CISO) and chief executive officer (CEO)," said Gergana Kiryakova, industry director for cyber security at Unisys Australia and New Zealand. "We were expecting some sort of a disconnect, but we were definitely not expecting such a big disconnect," she told journalists in Sydney on Tuesday. The report, “Cybersecurity Standoff Australia,” describes CEOs as "overconfident and out of the loop.” While 63% of surveyed CISOs said their organisation had suffered a data breach over the last 12 months, only 6% of the CEOs thought so.

AP
October 15, 2019
Germany released draft security guidelines on Tuesday for next generation wireless networks that stopped short of banning Huawei, as the U.S. warned again it would reconsider intelligence sharing with allies that use the Chinese company's equipment. The Federal Network Agency catalog of conditions for suppliers of new 5G networks include requiring certification of critical components and ensuring trustworthiness of manufacturers, without singling out Huawei for exclusion. Huawei said it welcomed the German government's move to "create a level playing field" for 5G suppliers, in which "all vendors are equally and fairly welcome to participate in the construction of 5G networks if they fulfill the security requirements." The U.S. has been lobbying allies in Europe to shun Huawei, the world's biggest maker of networking equipment, over worries its equipment might aid Chinese electronic spying, claims the company has repeatedly denied. The Trump administration cut off its access to U.S. technology in May, part of a broader geopolitical feud between Washington and Beijing over technology and trade.

CyberScoop
October 15, 2019
orth Korean government-backed hackers are targeting cryptocurrency exchanges to try to steal financial resources as Pyongyang searches for ways to fund its regime, two researchers discovered within the past week. Lazarus Group, also known as APT38, has carried out hacks against central banks and exploited monetary exchanges as part of an effort to boost Kim Jong-un’s financial and military goals.  The United Nations revealed in August North Korea had gained approximately $2 billion from hacking banks and cryptocurrency companies. This time, they’re using a front company to do it. Researchers Patrick Wardle, the principal security researcher at Jamf, and MalwareHunterTeam, of IDRansomware, a group that aims to help provide guidance on ransomware, found malware affecting Mac and Windows operating systems that installs a backdoor Trojan on victim machines, allowing hackers to gain control of infected targets. The malware asks for administrative privileges during installation, then communicates with a command-and-control server, and can receive instructions from the hackers to run certain tasks, such as uploading files to victim machines or causing the malware to exit, according to Wardle.

AP
October 15, 2019
Chinese telecom company Huawei on Tuesday criticized the Estonian government and media for spreading what it says are "arbitrary and unfounded" allegations about cybersecurity risks related to the company's mobile phones. Hong Yang, head of Huawei's Baltic consumer business, said in a statement that the company "is always ready to defend its rights and interests in a situation where any party is spreading baseless rumors and malicious libel." He referred to an Estonian television program aired in September that discussed the issue in detail. In it, Foreign Trade and Technology Minister Kert Kingo spoke about alleged security risks with Huawei phones. It later was reported that Kingo used a Huawei handset as a work phone, and her ministry announced this week that it has now been replaced by an Apple iPhone.

Ars Technica
October 12, 2019
Mobile phones of two prominent human rights activists were repeatedly targeted with Pegasus, the highly advanced spyware made by Israel-based NSO, researchers from Amnesty International reported this week. The Moroccan human rights defenders received SMS text messages containing links to malicious sites. If clicked, the sites would attempt to install Pegasus, which is one of the most advanced and full-featured pieces of spyware ever to come to light. One of the activists was also repeatedly subjected to attacks that redirected visits intended for Yahoo to malicious sites. Amnesty International identified the targets as activist Maâti Monjib and human rights lawyer Abdessadak El Bouchattaoui.


TECHNOLOGY

CyberScoop
October 18, 2019
Thieves are using malware that masquerades as Tor, the anonymizing internet browser, to steal money from Russian-speaking people on the dark web, researchers said Friday. The operation uncovered by researchers at Slovakian cybersecurity company ESET has netted the unidentified attackers some $40,000 in bitcoin so far, but the amount could be larger. “They likely stole more in Qiwi,” said Robert Lipovsky, a senior malware researcher at ESET, referring to a Russian payment service. The insidious attack is a reminder that hackers can upend the privacy and security users expect from software by tricking them into downloading malicious code. Tor is used by everyone from human rights defenders and journalists to criminals trying to hide activities like drug sales and child pornography from law enforcement. This effort, only the latest malicious operation exploiting users who rely on the software, comes as the Tor Project is seeking to spread awareness about Tor, and increase trust in the notoriously unreliable technology.

Ars Technica
October 17, 2019
A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said. The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013. "The bug is serious," Nico Waisman, who is a principal security engineer at Github, told Ars. "It's a vulnerability that triggers an overflow remotely through Wi-Fi on the Linux kernel, as long as you're using the Realtek (RTLWIFI) driver." The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.

ZDNet
October 16, 2019
The npm ecosystem of JavaScript libraries is more interwoven than most developers think, and the entire thing is a gigantic house of cards, being one bad hack away from compromising hundreds of thousands of projects, according to a recent academic study. The research, carried out by the Department of Computer Science from the Technical University of Darmstadt, in Germany, analyzed the dependency graph of the entire npm ecosystem. Researchers downloaded metadata for all the npm packages published until April 2018 and created a giant graph that included 676,539 nodes and 4,543,473 edges. In addition, academics also analyzed different versions of the same packages, looking at historical versions (5,386,239 versions for the 676,539 packages), but also at the package maintainers (199,327 npm accounts), and known security flaws impacting the packages (609 public reports). Their goal was to get an idea of how hacking one or more npm maintainer accounts, or how vulnerabilities in one or more packages, reverberated across the npm ecosystem; along with the critical mass needed to cause security incidents inside tens of thousands of npm projects at a time.